special0ne

Reputation: 6263

spring-security ACL tutorial

I need to add Roles and Permissions and Access-Lists to our project. I found this but I found it a bit too basic and specific.

Is there a better tutorial/article/example that I should read or follow before implementing?

Upvotes: 1

Views: 5270

Answers (1)

DavidA

Reputation: 4184

I didn't like the specificity of the provided tutorial either. I don't have a link to a tutorial, but perhaps I can give you a few road signs to guide you in the direction of a solution.

What I did was to create my own ACL and Permissions. I created a new class SecuredEntity which is the parent class of all of my domain entities which need ACL support. This was possible in my situation as I was starting from the ground up. Obviously you could use composition rather than inheritance if you cannot extend a common ancestor.

This SecuredEntity contains my own implementation of an ACL, which basically is a map of principals to permissions. A principal is either an account id, or a role, or a group. Each user has a set of principals which they can act as which is the set {the user's own account, all the roles of the user, and any groups the account is a part of}.

I then implemented a custom PermissionEvaluator which retrieves the principals set for the user indicated by the provided Authentication, and then examines the indicated object to determine if the user has indicated permission.

After registering the custom permission evaluator with both the Default expression handler and the web expression handler, I could then use expressions such as

// Spring evaluates hasPermission(...) through the registered PermissionEvaluator before the method body runs
@PreAuthorize("hasPermission(#entityId, 'EntityClass', 'read')")
@RequestMapping("/entities/{entityId}")
public String fetchEntity(@PathVariable("entityId") String entityId) {...}

Upvotes: 5
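The design sketched in the answer above, worked through as an added example (this is not DavidA's code and not part of any Spring project; it targets the Spring Security 5.x configuration style of that era). The `SecuredEntity` base class, the `principal -> permissions` map, the principal set of account plus roles plus groups, the custom `PermissionEvaluator`, and its registration with both the method and the web expression handlers are all written out. `GroupDirectory` and `SecuredEntityLoader` are assumed application-side interfaces, and the `user:`, `role:` and `group:` prefixes are an assumed naming convention that keeps the three principal kinds from colliding in the map. Two points a practitioner wants from such an evaluator are built in: it denies by default, and an unknown id fails closed rather than throwing, so a caller cannot tell "does not exist" from "not permitted".

```java
import java.io.Serializable;
import java.util.*;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/** Parent of every domain entity that carries its own ACL: principal -> granted permission names. */
abstract class SecuredEntity {
    private final Map<String, Set<String>> acl = new HashMap<>();

    void grant(String principal, String... permissions) {
        acl.computeIfAbsent(principal, k -> new HashSet<>()).addAll(Arrays.asList(permissions));
    }

    /** True only if at least one of the caller's principals holds the permission; deny by default. */
    boolean permits(Set<String> principals, String permission) {
        for (String p : principals) {
            if (acl.getOrDefault(p, Collections.emptySet()).contains(permission)) return true;
        }
        return false;
    }
}

/** Assumed application interface: which groups an account belongs to. */
interface GroupDirectory { Set<String> groupsOf(String accountId); }

/** Assumed application interface: load the entity named by (type, id), empty if absent. */
interface SecuredEntityLoader { Optional<SecuredEntity> load(String targetType, Serializable id); }

/** The set of principals a caller may act as: own account, every role, every group. */
final class PrincipalResolver {
    private final GroupDirectory groups;
    PrincipalResolver(GroupDirectory groups) { this.groups = groups; }

    Set<String> principalsOf(Authentication auth) {
        Set<String> out = new HashSet<>();
        out.add("user:" + auth.getName());                       // assumed prefix convention
        for (GrantedAuthority ga : auth.getAuthorities()) out.add("role:" + ga.getAuthority());
        for (String g : groups.groupsOf(auth.getName())) out.add("group:" + g);
        return out;
    }
}

/** Custom evaluator behind hasPermission(...) in @PreAuthorize and web expressions. */
final class AclPermissionEvaluator implements PermissionEvaluator {
    private final PrincipalResolver resolver;
    private final SecuredEntityLoader loader;
    AclPermissionEvaluator(PrincipalResolver resolver, SecuredEntityLoader loader) {
        this.resolver = resolver; this.loader = loader;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(target instanceof SecuredEntity)) return false;
        return ((SecuredEntity) target).permits(resolver.principalsOf(auth), String.valueOf(permission));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (auth == null || targetId == null || targetType == null) return false;
        // Unknown ids fail closed and look exactly like a denied id to the caller.
        return loader.load(targetType, targetId).map(e -> hasPermission(auth, e, permission)).orElse(false);
    }
}

/** Registers the evaluator with the method-security (default) expression handler. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Autowired private AclPermissionEvaluator evaluator;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

/** Registers the same evaluator with the web expression handler used for URL rules. */
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private AclPermissionEvaluator evaluator;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        http.authorizeRequests().expressionHandler(handler).anyRequest().authenticated();
    }
}
```

With this in place, the `@PreAuthorize("hasPermission(#entityId, 'EntityClass', 'read')")` annotation from the answer resolves `'EntityClass'` and `#entityId` through `SecuredEntityLoader` and checks the caller's principal set against that entity's own map. The evaluator must be declared as a bean (constructor wiring of `PrincipalResolver` and `SecuredEntityLoader` is left to the application), and because the two handlers share one evaluator instance, a method check and a URL check on the same object cannot drift apart.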
